Commit graph

1317 commits

Author SHA1 Message Date
emily ed3d75d0b1 Add GCE docs for GCP Auth Backend (#3341) 2017-09-19 07:44:05 -05:00
Bruno Miguel Custódio 2abddb248e Fix a few quirks in the GCP auth backend's docs. (#3322) 2017-09-19 07:41:41 -05:00
Vishal Nayak e99640f462 Add 'pid_file' config option (#3321)
* add pid_file config option

* address review feedback

* address review comments
2017-09-16 17:09:37 -04:00
Chris Hoffman 1029ad3b33 Rename "generic" secret backend to "kv" (#3292) 2017-09-15 09:02:29 -04:00
Chris Hoffman a2d2f1a543 Adding support for base_url for Okta api (#3316)
* Adding support for base_url for Okta api

* addressing feedback suggestions, bringing back optional group query

* updating docs

* cleaning up the login method

* clear out production flag if base_url is set

* docs updates

* docs updates
2017-09-15 00:27:45 -04:00
Chris Hoffman 9d73c81f38 Disable the sys/raw endpoint by default (#3329)
* disable raw endpoint by default

* adding docs

* config option raw -> raw_storage_endpoint

* docs updates

* adding listing on raw endpoint

* reworking tests for enabled raw endpoints

* root protecting base raw endpoint
2017-09-15 00:21:35 -04:00
Chris Hoffman 2e60b20eae update enterprise urls /docs/vault-enterprise -> /docs/enterprise (#3333) 2017-09-13 15:37:40 -04:00
Bruno Miguel Custódio 886a0acee6 Fix navigation and prameters in the 'gcp' auth backend docs. (#3317) 2017-09-11 15:26:24 -04:00
Adam Duke a3f97c5e3e fix typo in policies documentation (#3302) 2017-09-07 11:55:24 -04:00
Jeff Mitchell 9578361513 Massive update to response-wrapping concept page 2017-09-01 08:32:55 -04:00
Jeff Mitchell 8acef196a8 Add 'discard' target to file audit backend (#3262)
Fixes #seth
2017-08-30 19:16:47 -04:00
Joel Thompson caf90f58d8 auth/aws: Allow wildcard in bound_iam_principal_id (#3213) 2017-08-30 17:51:48 -04:00
stephan stachurski e396d87bc5 add support to use application default credentials to gcs storage backend (#3257) 2017-08-30 15:42:02 -04:00
Seth Vargo 9f80099fae
Remove fake news about custom plugins
This also adds a redirect from the old page to the new one
2017-08-30 12:57:45 -04:00
Christopher Pauley eccbb21ce8 stdout support for file backend via logger (#3235) 2017-08-29 14:51:16 -04:00
Brian Kassouf 23089dafbc Add basic autocompletion (#3223)
* Add basic autocompletion

* Add autocomplete to some common commands

* Autocomplete the generate-root flags

* Add information about autocomplete to the docs
2017-08-24 15:23:40 -07:00
Serg 66b178f969 Update index.html.md (#3233) 2017-08-24 10:08:35 -04:00
Seth Vargo ec9e187ce4 Thread stderr through too (#3211)
* Thread stderr through too

* Small docs typo
2017-08-21 17:23:29 -04:00
Seth Vargo 1f45a6c96e Addd more SSH CA troubleshooting (#3201)
* Add notes about pty and other permit-* extensions

* Update troubleshooting

* Add an example of JSON for sign

* Fix a bug about what keys to push up
2017-08-21 17:22:54 -04:00
Calvin Leung Huang 73fd103456 Update gcp auth backend docs (#3209)
* Update gcp auth backend docs

* Minor formatting and wording fixes

* Minor formatting fixes
2017-08-18 16:25:52 -04:00
Seth Vargo b4bec62d47
Typo fix 2017-08-16 18:38:35 -04:00
Seth Vargo 7b1e013511
Refactor SSH CA backend docs 2017-08-16 18:38:35 -04:00
Brian Kassouf 406396603a Fix a few links (#3188) 2017-08-16 10:27:12 -07:00
Jeff Mitchell bbcbe1f6d5 Fix ping docs location 2017-08-16 12:57:31 -04:00
emily 31a994e452 Initial GCP auth backend documentation (#3167) 2017-08-15 22:03:04 -04:00
Jeff Mitchell 0c2c078e48 Add PingID MFA docs (#3182) 2017-08-15 22:01:34 -04:00
Brian Kassouf 89b81bcb4c Oracle plugin docs (#3131)
* Add oracle database docs

* Add oracle database docs

* Fix commas in json output

* Update oracle.html.md
2017-08-15 17:24:01 -07:00
Andy Manoske bc7d77c83f Update index.html.md
Updated replication docs for DR
2017-08-14 19:02:02 -07:00
Jeff Mitchell 035d37cd36 Fix hanadb link 2017-08-14 13:04:26 -04:00
Lucas Vasconcelos Santana ea2d4c7d55 add scheme to the redirect_addr example 2017-08-14 10:59:44 -04:00
Lucas Vasconcelos Santana 914fab79ce add scheme to the redirect_addr example 2017-08-14 10:59:44 -04:00
Seth Vargo 8ee362744b Break SSH types into their own pages (#3157)
@jefferai and I discussed this on Friday. With three fully-documented
SSH backends, the page is lengthy, ungreppable, and intimidating. This
commit separates the SSH backends into their own pages with as little
text changes as possible.
2017-08-14 10:49:41 -04:00
Seth Vargo 0274a0f639 Rename database plugins for SEO (#3156)
When we "nest" like this, it's important to use a common suffix,
"Database Secret Backend" in this case, so that the SEO minions can
properly group search results for end users.
2017-08-14 10:46:39 -04:00
Jeff Mitchell 75bc43e961 Update github comment 2017-08-11 17:03:18 -04:00
Seth Vargo d931a2fa85 Remove references to VSI (#3143)
Andy approved
2017-08-10 20:47:59 -04:00
Issac 07dc10cdc8 Add TLS config to skeleton plugin (#3137) 2017-08-09 11:41:17 -07:00
vishalnayak c88db7b185 docs: Add API section for MFA docs 2017-08-09 13:26:29 -04:00
vishalnayak 0a0e697e05 docs: fix broken link 2017-08-09 13:17:56 -04:00
vishalnayak 254c1b6ae0 docs: Added identity concepts 2017-08-09 13:08:05 -04:00
vishalnayak 9844475b64 docs: Add X-Vault-MFA to the list of env vars 2017-08-09 11:31:30 -04:00
Chris Hoffman e3e5be4617 API Docs updates (#3135) 2017-08-09 11:22:19 -04:00
Jeff Mitchell d8a3bccb43 Fix cassandra doc link 2017-08-09 10:32:03 -04:00
Vishal Nayak 6d6e84f804 docs: MFA usage details (#3133) 2017-08-08 23:48:31 -04:00
Jeff Mitchell 5cb3a79568 Add an extra sentence to the github warning 2017-08-08 21:10:15 -04:00
Calvin Leung Huang 95af5bf6c7 Add plugin backends docs (#3125)
* Add docs on plugins/backend/reload, add plugin backend guide

* Fix docs headers

* Fix API endpoint description

* Update plugin guide and internals pages
2017-08-08 12:39:19 -04:00
Chris Hoffman 191d48f848 API Docs updates (#3101) 2017-08-08 12:28:17 -04:00
Jeff Mitchell accba5287c Add a note about GitHub auth backend security 2017-08-08 10:26:05 -04:00
Paulo Ribeiro 1e3c74862e Fix minor grammatical error (#3110) 2017-08-04 11:08:49 -04:00
Jeff Mitchell 65d7face69 Merge branch 'master-oss' into issue-2241 2017-08-03 07:41:34 -04:00
Gobin Sougrakpam 8e01c994bf tls_client_ca_file option for verifying client (#3034) 2017-08-03 07:33:06 -04:00
Jeff Mitchell 7e3ff5e56c Add PROXY protocol support (#3098) 2017-08-02 18:24:12 -04:00
Minkyu Kim 68fd01e3fc Fix outdated documentation about AWS STS credentials (#3093) (#3094) 2017-08-02 11:18:35 -04:00
Jeff Mitchell 4885b3e502 Use RemoteCredProvider instead of EC2RoleProvider (#2983) 2017-07-31 18:27:16 -04:00
Brian Rodgers d8e47e6f79 docs: Added text to clarify that root does not refer to AWS root creds (#2950) 2017-07-31 17:31:44 -04:00
Oliver Beattie e5a3156429 Fix docs to use new style 2017-07-31 15:24:08 +01:00
Filipe Varela a5a480551c Makes naming consistent w/ other storage backends (ie: etcd) 2017-07-31 15:18:07 +01:00
Filipe Varela b0446a2b25 Adds docs for new configuration options 2017-07-31 15:18:06 +01:00
Oliver Beattie 3919f38bd5 Add a (basic) Cassandra storage backend 2017-07-31 15:18:01 +01:00
James Phillips 0ab5b0e26b Fixes a typo in the VSI doc. (#3047) 2017-07-26 12:18:52 -04:00
Jeremy Voorhis 87d4014b6b s/alterate/alternate/ (#3056) 2017-07-26 11:44:06 -04:00
Vishal Nayak a80d7fb9c8 docs: Identity Store (#3055) 2017-07-25 18:33:17 -04:00
Chris Hoffman 2aa02fb3f0 CockroachDB Physical Backend (#2713) 2017-07-23 08:54:33 -04:00
Calvin Leung Huang bb54e9c131 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Joel Thompson 3704751a8f Improve sts header parsing (#3013) 2017-07-18 09:51:45 -04:00
Gobin Sougrakpam 2ddbc4a939 Adding option to set custom vault client timeout using env variable VAULT_CLIENT_TIMEOUT (#3022) 2017-07-18 09:48:31 -04:00
Andy Manoske d82f231753 Update configuration.html.md (#3029) 2017-07-17 14:37:32 -04:00
Jeff Mitchell 4387871bca Add max_parallel to mssql and postgresql (#3026)
For storage backends, set max open connections to value of max_parallel.
2017-07-17 13:04:49 -04:00
Seth Vargo ce1808f77d Update Policies and Auth concepts pages (#3011) 2017-07-14 11:15:22 -04:00
Jeff Mitchell 8903f68bf6 Reformat some wrapping docs 2017-07-13 19:02:15 -04:00
Tony Cai 07088fe8a0 Added HANA database plugin (#2811)
* Added HANA dynamic secret backend

* Added acceptance tests for HANA secret backend

* Add HANA backend as a logical backend to server

* Added documentation to HANA secret backend

* Added vendored libraries

* Go fmt

* Migrate hana credential creation to plugin

* Removed deprecated hana logical backend

* Migrated documentation for HANA database plugin

* Updated HANA DB plugin to use role name in credential generation

* Update HANA plugin tests

* If env vars are not configured, tests will skip rather than succeed

* Fixed some improperly named string variables

* Removed unused import

* Import SAP hdb driver
2017-07-07 13:11:23 -07:00
Will May 23ff17c769 Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 09:42:37 -04:00
Jasper Siepkes 5ae38eb745 Added documentation for working with MySQL wildcards in GRANT (#2963) 2017-07-04 13:59:08 -04:00
Brian Shumate 5fb9c73e1d DOCS: fix typo (#2965) 2017-07-03 12:40:31 -04:00
Cameron Stokes 711d6e6569 [docs] Add requirements for hsm. (#2941) 2017-07-01 21:21:51 +01:00
Seth Vargo 00e2213790 Add rekeying guide & move guides to top-level (#2935) 2017-06-29 14:43:43 +01:00
Brian Shumate 7a8b16f441 Docs: Expand Telemetry documentation (#2860) 2017-06-29 04:02:48 +01:00
Brian Boerst 0631c02558 Typo fix in vault enterprise/replication docs. (#2932) 2017-06-29 04:01:32 +01:00
Seth Vargo cb7e3051c0 Merge pull request #2914 from hashicorp/sethvargo/ec2authimage
Add diagram for EC2 Auth flow
2017-06-28 07:31:37 +08:00
Seth Vargo ca966b6e79
Re-org and move text around in list instead 2017-06-27 22:38:16 +08:00
Seth Vargo 16149fbbf2
Capitalize C 2017-06-27 22:38:16 +08:00
Seth Vargo 436d656a32
Add diagram for EC2 Auth flow 2017-06-27 22:38:16 +08:00
Armon Dadgar 4cd3a56b8b adding link to security model 2017-06-26 17:43:04 -07:00
Armon Dadgar fb8b737ae8 website: Add more hardening tips 2017-06-26 14:00:36 -07:00
TheCodeAssassin 9e09899c69 Small typo fix (#2921) 2017-06-26 10:08:18 -04:00
Cameron Stokes e28244cb8b [docs]: Fix typo in hardening guide. 2017-06-22 22:20:17 -07:00
Armon Dadgar e184c3fa0d Merge pull request #2898 from hashicorp/docs-prod-hard
website: adding production hardening guide
2017-06-22 15:05:35 -07:00
Saj Goonatilleke a576feeb1d Fix a typo in the telemetry documentation (#2910) 2017-06-22 20:12:28 +01:00
Armon Dadgar a40d24772e Make recommendation vs requirement more clear 2017-06-22 11:02:18 -07:00
Armon Dadgar 266f55c5d9 Copy changes 2017-06-21 09:55:00 -07:00
Armon Dadgar 9ae6004dbe website copy updates 2017-06-20 21:21:04 -07:00
Armon Dadgar 10a56c7ceb website: adding production hardening guide 2017-06-20 17:44:54 -07:00
Jeff Mitchell 40ef2e5c85 More cleanup
Ping #2894
2017-06-20 10:46:24 -04:00
Jeff Mitchell 9edbf1c8d1 Clarify/fix some configuration info.
Fixes #2894
2017-06-20 10:12:59 -04:00
Jeff Mitchell 8f1f9d5522 Add ACL info to Consul configuration page 2017-06-19 19:39:52 -04:00
Raphael Randschau db4e1b4a99 CouchDB physical backend (#2880) 2017-06-17 11:22:10 -04:00
Jeff Mitchell cf7d56e8f3 Fix up CORS.
Ref #2021
2017-06-17 01:26:25 -04:00
Aaron Salvo 0303f51b68 Cors headers (#2021) 2017-06-17 00:04:55 -04:00
Jeff Mitchell 33ca94773f Add DogStatsD metrics output. (#2883)
Fixes #2490
2017-06-16 23:51:46 -04:00
Jeff Mitchell 0ea8f17357 Add some warnings to the upgrade guide 2017-06-16 13:23:22 -04:00
vishalnayak a50ce54603 doc: add radius to MFA backend docs 2017-06-15 18:31:53 -04:00
Nathan Valentine 3309496916 Clean up extra word in docs (#2847) 2017-06-12 13:08:54 -04:00
Jeff Mitchell 8b3657d840 Add note about lowercasing usernames to userpass docs 2017-06-08 09:41:01 -04:00
Cameron Stokes 8e0ac2dbb0 [docs] Add notes about deprecated database backends. (#2835) 2017-06-07 23:45:01 -07:00
Brian Kassouf 8d58b43906 update database interface in the docs 2017-06-07 11:20:13 -07:00
Joel Thompson 4a934915d7 Resolve AWS IAM unique IDs (#2814) 2017-06-07 10:27:11 -04:00
Joel Thompson 7437ada31c Check if there's a bound iam arn when renewing (#2819)
Previously, the renew method would ALWAYS check to ensure the
authenticated IAM principal ARN matched the bound ARN.  However, there
is a valid use case in which no bound_iam_principal_arn is specified and
all bindings are done through inferencing. When a role is configured
like this, clients won't be able to renew their token because of the
check.

This now checks to ensure that the bound_iam_principal_arn is not empty
before requriing that it match the originally authenticated client.

Fixes #2781
2017-06-06 22:35:12 -04:00
Brian Kassouf 606fe393be Use the role name in the db username (#2812) 2017-06-06 09:49:49 -04:00
sam boyer 789d7ab4e0 Minor typos & wordsmithing for clarity (#2807) 2017-06-05 09:32:09 -07:00
Jeff Mitchell dad291c93c Add plugin_directory to configuration page (#2801)
Fixes #2795
2017-06-03 08:11:03 -04:00
Igor Katson 88118dce0f Add max_parallel parameter to MySQL backend. (#2760)
* Add max_parallel parameter to MySQL backend.

This limits the number of concurrent connections, so that vault does not die
suddenly from "Too many connections".

This can happen when e.g. vault starts up, and tries to load all the
existing leases in parallel. At the time of writing this, the value
ExpirationRestoreWorkerCount in vault/helper/consts/const.go is set to
64, meaning that if there are enough leases in the vault's DB, it will
generate AT LEAST 64 concurrent connections to MySQL when loading the
data during start-up. On certain configurations, e.g. smaller AWS
RDS/Aurora instances, this will cause Vault to fail startup.

* Fix a typo in mysql storage readme
2017-06-01 15:20:32 -07:00
Vishal Nayak 128907172f doc: leases are generated only for dynamic secrets (#2772)
* doc: leases are generated only for dynamic secrets

* Address review feedback
2017-05-31 09:47:17 -04:00
vishalnayak 9bbeff3f44 doc: Fix the sample input value for cache_size 2017-05-19 12:32:44 -04:00
Kenny Gatdula f9a71de87a Update plugins.html.md (#2744)
Minor typo and spellcheck update
2017-05-18 14:06:44 -04:00
Martins Sipenko f3f6b02682 Fix X-Vault-AWS-IAM-Server-ID example (#2728) 2017-05-15 09:06:45 -04:00
Martins Sipenko 774c70e1e2 Update aws.html.md (#2715) 2017-05-12 12:10:11 -04:00
Calvin Leung Huang 9fd39a0681 Mongodb plugin (#2698)
* WIP on mongodb plugin

* Add mongodb plugin

* Add tests

* Update mongodb.CreateUser() comment

* Update docs

* Add missing docs

* Fix mongodb docs

* Minor comment and test updates

* Fix imports

* Fix dockertest import

* Set c.Initialized at the end, check for empty CreationStmts first on CreateUser

* Remove Initialized check on Connection()

* Add back Initialized check

* Update docs

* Move connProducer and credsProducer into pkg for  mongodb and cassandra

* Chage parseMongoURL to be a private func

* Default to admin if no db is provided in creation_statements

* Update comments and docs
2017-05-11 17:38:54 -04:00
Jeremy Voorhis 3407a033ba Update the S3 storage backend docs to reflect capabilities. 2017-05-11 14:30:05 -07:00
Cameron Stokes ab7d91a506 [docs] Update glossary for auth backend terminology. (#2703) 2017-05-09 22:17:32 -04:00
Jeff Mitchell 7068292252 Update/clarify docs on generic backend ttl.
Ping #2697
2017-05-09 09:56:11 -04:00
Brian Kassouf 16e6f9640d Few docs updates 2017-05-04 14:07:12 -07:00
Calvin Leung Huang c0ce0ae499 Merge branch 'database-refactor' of github.com:hashicorp/vault into database-refactor 2017-05-04 16:46:47 -04:00
Calvin Leung Huang b49993f81f Update mssql docs 2017-05-04 16:46:34 -04:00
Brian Kassouf 3c41bdfa16 update docs 2017-05-04 13:38:49 -07:00
Brian Kassouf 7dcec6e68f Merge remote-tracking branch 'oss/master' into database-refactor 2017-05-04 12:40:00 -07:00
mymercurialsky 4c0e3c5d2f Implemented TOTP Secret Backend (#2492)
* Initialized basic outline of TOTP backend using Postgresql backend as template

* Updated TOTP backend.go's structure and help string

* Updated TOTP path_roles.go's structure and help strings

* Updated TOTP path_role_create.go's structure and help strings

* Fixed typo in path_roles.go

* Fixed errors in path_role_create.go and path_roles.go

* Added TOTP secret backend information to cli commands

* Fixed build errors in path_roles.go and path_role_create.go

* Changed field values of period and digits from uint to int, added uint conversion of period when generating passwords

* Initialized TOTP test file based on structure of postgresql test file

* Added enforcement of input values

* Added otp library to vendor folder

* Added test steps and cleaned up errors

* Modified read credential test step, not working yet

* Use of vendored package not allowed - Test error

* Removed vendor files for TOTP library

* Revert "Removed vendor files for TOTP library"

This reverts commit fcd030994bc1741dbf490f3995944e091b11da61.

* Hopefully fixed vendor folder issue with TOTP Library

* Added additional tests for TOTP backend

* Cleaned up comments in TOTP backend_test.go

* Added default values of period, algorithm and digits to field schema

* Changed account_name and issuer fields to optional

* Removed MD5 as a hash algorithm option

* Implemented requested pull request changes

* Added ability to validate TOTP codes

* Added ability to have a key generated

* Added skew, qr size and key size parameters

* Reset vendor.json prior to merge

* Readded otp and barcode libraries to vendor.json

* Modified help strings for path_role_create.go

* Fixed test issue in testAccStepReadRole

* Cleaned up error formatting, variable names and path names. Also added some additional documentation

* Moveed barcode and url output to key creation function and did some additional cleanup based on requested changes

* Added ability to pass in TOTP urls

* Added additional tests for TOTP server functions

* Removed unused QRSize, URL and Generate members of keyEntry struct

* Removed unnecessary urlstring variable from pathKeyCreate

* Added website documentation for TOTP secret backend

* Added errors if generate is true and url or key is passed, removed logger from backend, and revised parameter documentation.

* Updated website documentation and added QR example

* Added exported variable and ability to disable QR generation, cleaned up error reporting, changed default skew value, updated documentation and added additional tests

* Updated API documentation to inlude to exported variable and qr size option

* Cleaned up return statements in path_code, added error handling while validating codes and clarified documentation for generate parameters in path_keys
2017-05-04 10:49:42 -07:00
Brian Kassouf 5ee0d696d4 Merge remote-tracking branch 'oss/master' into database-refactor 2017-05-04 10:45:18 -07:00
Brian Kassouf 29bfc0a0d4 PR comments 2017-05-04 10:41:59 -07:00
Brian Kassouf ce391ca425 add new mysql plugin names and fix grammar 2017-05-03 18:41:39 -07:00
Brian Kassouf e92818e0ae Upate links in docs 2017-05-03 10:25:12 -07:00
Brian Kassouf dbb5b38e0d Add API docs 2017-05-03 02:13:07 -07:00
Brian Kassouf 63de72c10f Add custom plugins docs page 2017-05-03 00:01:28 -07:00
Brian Kassouf 50ac77be51 Update docs for the database backend and it's plugins 2017-05-02 22:24:31 -07:00
Brian Kassouf b60ff2048d Update docs and add cassandra as a builtin plugin 2017-05-02 17:04:49 -07:00
Brian Kassouf 20994c1247 Fix wording in docs 2017-05-02 16:20:07 -07:00
Jeff Mitchell 712cacaf4d Add website skeleton 2017-05-02 16:26:32 -04:00
Brian Kassouf ca7ff89bcb Fix documentation 2017-05-02 02:22:06 -07:00
Brian Kassouf a963097747 Add internals doc for plugins 2017-05-02 01:59:36 -07:00
Seth Vargo 44e1c64cfd Add UI docs (#2664) 2017-05-01 17:36:37 -04:00
Michael Ansel 30b71cbbac Add constraints on the Common Name for certificate-based authentication (#2595)
* Refactor to consolidate constraints on the matching chain

* Add CN prefix/suffix constraint

* Maintain backwards compatibility (pick a random cert if multiple match)

* Vendor go-glob

* Replace cn_prefix/suffix with required_name/globbing

Move all the new tests to acceptance-capable tests instead of embedding in the CRL test

* Allow authenticating against a single cert

* Add new params to documentation

* Add CLI support for new param

* Refactor for style

* Support multiple (ORed) name patterns

* Rename required_names to allowed_names

* Update docs for parameter rename

* Use the new TypeCommaStringSlice
2017-04-30 11:37:10 -04:00
greenbrian 90a442ec92 Fix links on Consul storage backend page (#2652) 2017-04-28 07:48:23 -04:00
Jeff Mitchell d9e639ece2 Fix types of listener options, currently they're all strings 2017-04-25 11:20:48 -04:00
Joel Thompson e06a78a474 Create unified aws auth backend (#2441)
* Rename builtin/credential/aws-ec2 to aws

The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.

* Expand aws-ec2 backend to more generic aws

This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to
just AWS with the expansion.

* Add missing aws auth handler to CLI

This was omitted from the previous commit

* aws auth backend general variable name cleanup

Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.

* Update docs for the aws auth backend

* Refactor aws bind validation

* Fix env var override in aws backend test

Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.

* Update docs on use of IAM authentication profile

AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the the EC2 auth method. You
can now just change the instance profile on the fly.

* Fix typo in aws auth cli help

* Respond to PR feedback

* More PR feedback

* Respond to additional PR feedback

* Address more feedback on aws auth PR

* Make aws auth_type immutable per role

* Address more aws auth PR feedback

* Address more iam auth PR feedback

* Rename aws-ec2.html.md to aws.html.md

Per PR feedback, to go along with new backend name.

* Add MountType to logical.Request

* Make default aws auth_type dependent upon MountType

When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.

* Pass MountPoint and MountType back up to the core

Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
Matthew Gallagher 8c75c2611a Remove mention of Darwin mlock support from docs. (#2624) 2017-04-22 16:56:01 -04:00
Mitch Davis a051ec1b59 Use service bind for searching LDAP groups (#2534)
Fixes #2387
2017-04-18 15:52:05 -04:00
Jeff Mitchell 563ad2175f Update index.html.md 2017-04-18 15:50:44 -04:00
Jon Benson 73950e8fb1 Fix sentence - remove "and" 2017-04-17 19:35:04 -07:00
Jeff Mitchell ce58bfa88f Update SSH docs to indicate deprecation of dynamic key type 2017-04-17 11:11:05 -04:00
Jeff Mitchell c2407eab5a Add some extra documentation around ssh-keygen -L to see signed cert
info.

Ping #2569
2017-04-13 15:23:27 -04:00
Chris Hoffman 3c7a69b119 minor docs update 2017-04-10 09:46:25 -04:00
Jeff Mitchell 9136952055 Update AES-GCM verification text 2017-04-07 14:35:29 -04:00
Jeff Mitchell e0d00fdf7b Remove superfluous/misleading comments around some listener options 2017-04-07 14:23:56 -04:00
Jeff Mitchell f805618a2c Update SSH CA documentation
Fixes #2551
Fixes #2569
2017-04-07 11:59:25 -04:00
Jeff Mitchell d39ca0be68 Remove "these are denoted below" w.r.t. SIGHUP
SIGHUP support is denoted in the sections/options that support actions on SIGHUP, so with the new docs layout it's confusing to have the old statement in there. Remove in favor of the inline comments.

Fixes #2572
2017-04-06 16:08:58 -04:00
Sebastian Haba 3322f637ac add mssql physical backend (#2546) 2017-04-06 09:33:49 -04:00
Pavel Timofeev d2afabe4f6 Ldap auth doc fix (#2568)
* Move url parameter to the next line and fix a typo

* Add userdn paramater to the Scenario 1.
Without userdn set Vault can't search with error like

Code: 400. Errors:

* LDAP search failed for detecting user: LDAP Result Code 32 "No Such Object": 0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, best match of:
        ''
2017-04-05 08:29:38 -07:00
Cameron Stokes 76c74a3995 [docs] Add header to fix formatting. 2017-04-05 10:35:59 +10:00
Cameron Stokes 1884845525 [docs] Adding missing guide from index page.
Also, make guide titles consistent with sidebar.
2017-04-05 10:22:20 +10:00
Jeff Mitchell 04bbc50ccb Add back lost Postgres creation sql for storage backend 2017-04-04 12:30:07 -04:00
Emre Erkunt de3d2438b7 Fixed an example on aws backend documentation about an iam profile. (#2522) 2017-04-04 09:03:27 -07:00
Jonathan Sokolowski a4ceaf0035 Etcd DNS discovery (#2521)
* etcd: Add discovery_srv option
2017-04-04 08:50:44 -07:00
Jeff Mitchell 9ec414016d Update SSH docs to note that host key verification is not performed. 2017-04-03 10:43:41 -04:00
Francis Chuang 917158a510 Fix typo (#2558) 2017-04-03 05:46:40 -07:00
Adam Shannon a6156d8e79 Quote dynamodb's ha_enabled property (#2547)
With `ha_enabled = true` vault crashes with the following error: 

```
error parsing 'storage': storage.dynamodb: At 17:16: root.ha_enabled: unknown type for string *ast.LiteralType
```

This seems related to https://github.com/hashicorp/vault/issues/1559
2017-03-30 14:09:47 -07:00
vishalnayak 1cfd0e94b3 docs: aws-ec2: link sts configuration from cross account access 2017-03-28 14:34:21 -07:00
Dan Everton 4ef8ce1198 Add permitPool support to S3 (#2466) 2017-03-26 14:32:26 -04:00
Jeff Mitchell 04d8f3a34d Fix AWS-EC2 sts/certificate typo
Fixes #2512
2017-03-21 13:29:40 -04:00
Jack Pearkes efa2a280aa website: update docs to clearly link to enterprise version 2017-03-21 08:41:39 -07:00
Vishal Nayak b9b68ca5e8 docs: Elaborate the steps for SSH CA backend with 'sshd_config' changes (#2507) 2017-03-19 18:52:15 -04:00
Brian Kassouf 5437cf2e51 Add note about prefix/suffix globbing on policy parameters 2017-03-17 13:53:41 -07:00
Seth Vargo 21ecbda1f4
Update titles 2017-03-17 14:37:01 -04:00
Seth Vargo 6931bbd091
Links 2017-03-17 14:27:32 -04:00
Seth Vargo d4390d103e
/docs/http -> /api 2017-03-17 14:06:03 -04:00
Jeff Mitchell d2e9e0b873 Merge branch 'master-oss' into pr-2495 2017-03-17 13:40:58 -04:00
Jeff Mitchell a38b55385a Update replication guide and add to sidebar 2017-03-17 12:38:19 -04:00
Jeff Mitchell 6109dcf7d7 Fix broken GCS account link 2017-03-17 12:12:28 -04:00
Jeff Mitchell 9bfcc0be94 Fix misspelling of website link 2017-03-17 12:07:37 -04:00
Seth Vargo 0f845ef67d
Use relative links 2017-03-16 12:04:36 -07:00
Seth Vargo bfa7fe9a3e
Fix sentence 2017-03-16 12:04:14 -07:00
Seth Vargo 5c1f017274
Reformat replication API 2017-03-16 11:57:06 -07:00
Seth Vargo 037700b86e
Update PKI backend API docs 2017-03-16 11:26:09 -07:00
Seth Vargo b340d9ff8c
Fix formatting in SSH 2017-03-16 11:25:59 -07:00
Seth Vargo faef58b355
Fix Cassandra text 2017-03-16 11:25:37 -07:00
Seth Vargo 9934b66fe0
Add new SSH field 2017-03-16 09:48:45 -07:00
Seth Vargo e86465c13b
Add SSH 2017-03-16 09:47:08 -07:00
Seth Vargo e473ee99a8
Fix TODOs 2017-03-16 09:47:08 -07:00
Seth Vargo 3fd0bd36cc
Break out API documentation for secret backends 2017-03-16 09:47:06 -07:00
Seth Vargo 19b2b049c3
Redo docs for system backend
This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.
2017-03-16 09:46:49 -07:00
Mike Okner 95df7beed9 Adding allow_user_key_ids field to SSH role config (#2494)
Adding a boolean field that determines whether users will be allowed to
set the ID of the signed SSH key or whether it will always be the token
display name.  Preventing users from changing the ID and always using
the token name is useful for auditing who actually used a key to access
a remote host since sshd logs key IDs.
2017-03-16 08:45:11 -04:00
Jeff Mitchell 2b98f004ac Fix layout for replication 2017-03-16 06:50:33 -04:00
Jeff Mitchell 12e5132779 Allow roles to specify whether CSR SANs should be used instead of (#2489)
request values. Fix up some documentation.

Fixes #2451
Fixes #2488
2017-03-15 14:38:18 -04:00
Andy Manoske 8aa7f120b0 Vault_Enterprise_WWW (#2327) 2017-03-15 14:31:14 -04:00
Jeff Mitchell 584aedad04 Add upgrade to 0.7 page 2017-03-15 12:34:11 -04:00
Stanislav Grozev 4bc3abd152 Remove superfluous argument from SSH CA docs 2017-03-14 10:21:48 -04:00
Stanislav Grozev 7d59d7d3ac Reads on ssh/config/ca return the public keys
If configured/generated.
2017-03-14 10:21:48 -04:00
Stanislav Grozev 830de2dbbd If generating an SSH CA signing key - return the public part
So that the user can actually use the SSH CA, by adding the public key
to their respective sshd_config/authorized_keys, etc.
2017-03-14 10:21:48 -04:00
Jeff Mitchell ab56fdbebf Clarify cluster_addr and cluster_address 2017-03-14 10:17:58 -04:00
Jeff Mitchell 4fa4034d50 Minor doc updates 2017-03-14 10:11:47 -04:00
Vishal Nayak 285bdf0a6f docs: clarify 'storage' and 'ha_storage' requirements (#2471) 2017-03-11 09:43:14 -05:00
Vishal Nayak 220beb2cde doc: ssh allowed_users update (#2462)
* doc: ssh allowed_users update

* added some more context in default_user field
2017-03-09 10:34:55 -05:00
vishalnayak 431070f828 doc: ssh markdown alignments 2017-03-08 21:58:12 -05:00
Seth Vargo f18318f6dd Move upgrade into guides (#2460)
* Move upgrades to guides

* Make root token copy-pastable
2017-03-08 17:33:58 -05:00
Jeff Mitchell 4d133b8423 Minor doc updates 2017-03-08 10:25:57 -05:00
Jeff Mitchell 5d760d4090 Add option to require valid client certificates (#2457) 2017-03-08 10:21:31 -05:00
Jeff Mitchell f03d500808 Add option to disable caching per-backend. (#2455) 2017-03-08 09:20:09 -05:00
Jeff Mitchell b11f92ba5a Rename physical backend to storage and alias old value (#2456) 2017-03-08 09:17:00 -05:00
Seth Vargo 624c6eab20 Separate backend configurations into their own pages (#2454)
* Clean vertical lines

* Make sidebar slightly larger on bigger displays

* Separate backend configurations into their own pages
2017-03-07 21:47:23 -05:00
Seth Vargo 1f7bdbf966
Fix http layout 2017-03-06 16:11:05 -05:00
Seth Vargo 93357d7519
Move install guides into docs layout 2017-03-06 16:11:05 -05:00
Seth Vargo 751a2bff1d
Update upgrade guides 2017-03-06 16:11:05 -05:00
Michael 412aad7c6e Updated doc to match real output (#2443)
Regards hashicorp/vault#2116
2017-03-06 10:39:34 -05:00
Vishal Nayak 491a56fe9f AppRole: Support restricted use tokens (#2435)
* approle: added token_num_uses to the role

* approle: added RUD tests for token_num_uses on role

* approle: doc: added token_num_uses
2017-03-03 09:31:20 -05:00
Jeff Mitchell 76bec343f4 Some minor ssh docs updating 2017-03-02 16:47:21 -05:00
Will May 70bfdb5ae9 Changes from code review 2017-03-02 14:36:13 -05:00
Will May 36b3d89604 Allow internal generation of the signing SSH key pair 2017-03-02 14:36:13 -05:00
Vishal Nayak 3795d2ea64 Rework ssh ca (#2419)
* docs: input format for default_critical_options and default_extensions

* s/sshca/ssh

* Added default_critical_options and default_extensions to the read endpoint of role

* Change default time return value to 0
2017-03-01 15:50:23 -05:00
Will May ff1ff02bd7 Changes from code review
Major changes are:
* Change `allow_{user,host}_certificates` to default to false
* Add separate `allowed_domains` role property
2017-03-01 15:19:18 -05:00
Will May 099d561b20 Add ability to create SSH certificates 2017-03-01 15:19:18 -05:00
Jeff Mitchell 7012d63a28 Update policies doc with allowed/denied params and min/max wrapping ttl info 2017-02-27 15:17:19 -05:00
Marshall Brekka 184b47e20c Add a TTL to the dynamodb lock implementation. (#2141) 2017-02-27 14:30:34 -05:00
vishalnayak 1518d626e3 docs: update sys heal status codes 2017-02-26 15:20:23 -05:00
Gregory Reshetniak e13fc759d8 Update sys-health.html.md
typo
2017-02-26 15:20:23 -05:00
Vishal Nayak b762c43fe2 Aws Ec2 additional binds for SubnetID, VpcID and Region (#2407)
* awsec2: Added bound_region

* awsec2: Added bound_subnet_id and bound_vpc_id

* Add bound_subnet_id and bound_vpc_id to docs

* Remove fmt.Printf

* Added crud test for aws ec2 role

* Address review feedback
2017-02-24 14:19:10 -05:00
Vishal Nayak c6f138bb9a PKI: Role switch to control lease generation (#2403)
* pki: Make generation of leases optional

* pki: add tests for upgrading generate_lease

* pki: add tests for leased and non-leased certs

* docs++ pki generate_lease

* Generate lease is applicable for both issuing and signing

* pki: fix tests

* Address review feedback

* Address review feedback
2017-02-24 12:12:40 -05:00
vishalnayak 3ddffbe574 awsec2: markdown text alignment 2017-02-23 14:52:38 -05:00
Brian Kassouf f992103615 Merge branch 'master' into acl-parameters-permission 2017-02-21 14:46:06 -08:00
Jeff Mitchell 0c39b613c8 Port some replication bits to OSS (#2386) 2017-02-16 15:15:02 -05:00
Jeff Mitchell 817bec0955 Add Organization support to PKI backend. (#2380)
Fixes #2369
2017-02-16 01:04:29 -05:00
Jeff Mitchell 51f7114648 Merge branch 'master-oss' into acl-parameters-permission 2017-02-15 20:37:58 -05:00
Phil Watts e2de7ec7fe Edit to the language of the description of disable_mlock on the configuration documentation page. Previous wording could lead to confusion as to the recommended setting of the disable_mlock option. (#2377) 2017-02-15 11:09:27 -05:00
Vishal Nayak b86e9bc09f aws-ec2 auth: fix docs (#2375) 2017-02-15 06:29:27 -05:00
Tommy Murphy ca06bc0b53 audit: support a configurable prefix string to write before each message (#2359)
A static token at the beginning of a log line can help systems parse
logs better. For example, rsyslog and syslog-ng will recognize the
'@cee: ' prefix and will parse the rest of the line as a valid json message.
This is useful in environments where there is a mix of structured and
unstructured logs.
2017-02-10 16:56:28 -08:00
P.Nikolajevs (pl) 2a79627a2e Update libraries.html.md (#2360) 2017-02-10 09:39:18 -08:00
Tommy Murphy 65b274299f docs: transit parameter is actually deletion_allowed (#2356) 2017-02-09 15:10:28 -05:00
Jeff Mitchell 72db329d67 Add support for backup/multiple LDAP URLs. (#2350) 2017-02-08 14:59:24 -08:00
Jeff Mitchell 2fd59ad308 Merge branch 'master-oss' into acl-parameters-permission 2017-02-08 01:59:52 -05:00
Jeff Mitchell f9c67273f3 Add audited headers to sidebar 2017-02-07 17:02:14 -05:00
Matteo Sessa 29d9d5676e RADIUS Authentication Backend (#2268) 2017-02-07 16:04:27 -05:00
Jeff Mitchell f3de9f57ce Add etcd API info 2017-02-07 11:33:02 -08:00
Brian Kassouf 2923934813 Merge pull request #2326 from hashicorp/pr-2161
Add Socket Audit Backend
2017-02-07 11:27:25 -08:00
Brian Kassouf 128de55742 Added a warning about the dropped socket connection edge case 2017-02-07 11:06:36 -08:00
Brian Vans 29b3cc6b00 Fixing a few typos in the docs (#2344) 2017-02-07 11:55:29 -05:00
Brian Kassouf a566097657 Add info about UNIX sockets 2017-02-06 15:56:58 -08:00
Cameron Stokes d56c0e33b3 docs: add note about request size limit (#2337) 2017-02-06 18:24:40 -05:00
Vishal Nayak 7f2717b74a transit: change batch input format (#2331)
* transit: change batch input format

* transit: no json-in-json for batch response

* docs: transit: update batch input format

* transit: fix tests after changing response format
2017-02-06 14:56:16 -05:00
Brian Kassouf af1847f2b4 Update the docs and move the logic for reconnecting into its own function 2017-02-04 16:55:17 -08:00
Jeff Mitchell 1d0d353901 Fix incorrect sample URL in aws-ec2 docs 2017-02-04 19:27:35 -05:00
Harrison Harnisch b09077c2d8 add socket audit backend 2017-02-02 14:21:48 -08:00
Brian Kassouf 6701ba8a10 Configure the request headers that are output to the audit log (#2321)
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited

* Remove some debug lines

* Add a persistant layer and refactor a bit

* update the api endpoints to be more restful

* Add comments and clean up a few functions

* Remove unneeded hash structure functionaility

* Fix existing tests

* Add tests

* Add test for Applying the header config

* Add Benchmark for the ApplyConfig method

* ResetTimer on the benchmark:

* Update the headers comment

* Add test for audit broker

* Use hyphens instead of camel case

* Add size paramater to the allocation of the result map

* Fix the tests for the audit broker

* PR feedback

* update the path and permissions on config/* paths

* Add docs file

* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
Vishal Nayak 5fb28f53cb Transit: Support batch encryption and decryption (#2143)
* Transit: Support batch encryption

* Address review feedback

* Make the normal flow go through as a batch request

* Transit: Error out if encryption fails during batch processing

* Transit: Infer the 'derived' parameter based on 'context' being set

* Transit: Batch encryption doc updates

* Transit: Return a JSON string instead of []byte

* Transit: Add batch encryption tests

* Remove plaintext empty check

* Added tests for batch encryption, more coming..

* Added more batch encryption tests

* Check for base64 decoding of plaintext before encrypting

* Transit: Support batch decryption

* Transit: Added tests for batch decryption

* Transit: Doc update for batch decryption

* Transit: Sync the path-help and website docs for decrypt endpoint

* Add batch processing for rewrap

* transit: input validation for context

* transit: add rewrap batch option to docs

* Remove unnecessary variables from test

* transit: Added tests for rewrap use cases

* Address review feedback

* Address review feedback

* Address review feedback

* transit: move input checking out of critical path

* transit: allow empty plaintexts for batch encryption

* transit: use common structs for batch processing

* transit: avoid duplicate creation of structs; add omitempty to response structs

* transit: address review feedback

* transit: fix tests

* address review feedback

* transit: fix tests

* transit: rewrap encrypt user error should not error out

* transit: error out for internal errors
2017-02-02 14:24:20 -05:00
Vishal Nayak 3457a11afd awsec2: support periodic tokens (#2324)
* awsec2: support periodic tokens

* awsec2: add api docs for 'period'
2017-02-02 13:28:01 -05:00